如何驗證Certbot對免費Let's Encrypt證書的續期是否會成功

如何驗證Certbot對免費Let's Encrypt證書的續期是否會成功,可以分解成2個問題,1.驗證定時任務是否存在。 2.驗證續期操作是否能成功

驗證定時任務是否存在

1
2
3
4
5
6
7
8
root@localhost:~# sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Wed 2022-12-07 02:08:51 UTC; 22h ago
    Trigger: Thu 2022-12-08 04:56:59 UTC; 3h 49min left
   Triggers: ● certbot.service

Dec 07 02:08:51 localhost systemd[1]: Started Run certbot twice daily.

如果存在上述定時任務,則定時是成功的。 在較新的版本中定時任務是在安裝時自動設置的,無需手工設置。

驗證續期操作是否能成功

使用certbot renew命令驗證,執行以後會驗證所有certbot管理的域名

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
root@localhost:~# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/abc.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for ijoke.fun and abc.com and www.abc.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/knightli.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for knightli.com and www.knightli.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/abc.com/fullchain.pem (success)
  /etc/letsencrypt/live/knightli.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

看到all simulated renewals succeeded說明都能成功

常見的不成功的例子

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
root@localhost:/# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/abc.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for abc.com and www.abc.com
Failed to renew certificate abc.com with error: Could not bind TCP port 80 becau
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/knightli.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for knightli.com and www.knightli.com
Failed to renew certificate knightli.com with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/abc.com/fullchain.pem (failure)
  /etc/letsencrypt/live/knightli.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

以上是不成功的例子,不成功的原因是當時申請證書時使用的是standalone方式,在申請和續期時certbot都會自己搭建一個http服務,如果這是你的服務器運行了其他http服務器,就會導致失敗。

這是需要修改certbot的配置文件就可以成功

在目錄/etc/letsencrypt/renewal/下找到你的域名對應的配置文件

1
2
3
4
5
root@localhost:~# ll /etc/letsencrypt/renewal
drwxr-xr-x 2 root root 4096 Dec  7 02:59 ./
drwxr-xr-x 9 root root 4096 Dec  8 01:09 ../
-rw-r--r-- 1 root root  530 Dec  7 02:59 abc.com.conf
-rw-r--r-- 1 root root  545 Dec  7 02:59 knightli.com.conf

修改對應的配置文件

1
2
3
4
5
6
原有
authenticator = standalone

修改成(適用於nginx服務器的情形)
authenticator = nginx
installer = nginx
记录并分享
Built with Hugo
Theme Stack designed by Jimmy